softprops · Gnyblast · Mar 7, 2025 · Mar 10, 2025 · Mar 10, 2025 · Mar 13, 2025
diff --git a/build.zig.zon b/build.zig.zon
@@ -1,5 +1,6 @@
 .{
-    .name = "jwt",
+    .name = .jwt,
+    .fingerprint = 0x8d17cdf07e2c9836,
     .version = "0.1.0",
     .minimum_zig_version = "0.13.0",
     .dependencies = .{

diff --git a/src/decode.zig b/src/decode.zig
@@ -65,6 +65,37 @@ pub fn decode(
     return error.MalformedJWT;
 }
 
+pub fn decodeNoVerify(
+    allocator: std.mem.Allocator,
+    comptime ClaimSet: type,
+    str: []const u8,
+) !JWT(ClaimSet) {
+    var arena = try allocator.create(std.heap.ArenaAllocator);
+    arena.* = std.heap.ArenaAllocator.init(allocator);
+    errdefer {
+        arena.deinit();
+        allocator.destroy(arena);
+    }
+    if (std.mem.count(u8, str, ".") == 2) {
+        const sigSplit = std.mem.lastIndexOfScalar(u8, str, '.').?;
+        const messageEnc = str[0..sigSplit];
+
+        const header = try decodePart(arena.allocator(), Header, messageEnc[0..std.mem.indexOfScalar(u8, messageEnc, '.').?]);
+        const claims = try decodePart(
+            allocator,
+            ClaimSet,
+            messageEnc[std.mem.indexOfScalar(u8, messageEnc, '.').? + 1 ..],
+        );
+
+        return .{
+            .arena = arena,
+            .header = header,
+            .claims = claims,
+        };
+    }
+    return error.MalformedJWT;
+}
+
 pub fn verify(
     allocator: std.mem.Allocator,
     algo: Algorithm,
@@ -86,6 +117,9 @@ pub fn verify(
                 .secret => |v| v,
                 else => return error.InvalidDecodingKey,
             });
+            if (src.len != sig.len) {
+                return error.InvalidSignature;
+            }
             @memcpy(&src, sig);
             if (!std.crypto.utils.timingSafeEql([dest.len]u8, src, dest)) {
                 return error.InvalidSignature;
@@ -98,6 +132,9 @@ pub fn verify(
                 .secret => |v| v,
                 else => return error.InvalidDecodingKey,
             });
+            if (src.len != sig.len) {
+                return error.InvalidSignature;
+            }
             @memcpy(&src, sig);
             if (!std.crypto.utils.timingSafeEql([dest.len]u8, src, dest)) {
                 return error.InvalidSignature;
@@ -110,13 +147,19 @@ pub fn verify(
                 .secret => |v| v,
                 else => return error.InvalidDecodingKey,
             });
+            if (src.len != sig.len) {
+                return error.InvalidSignature;
+            }
             @memcpy(&src, sig);
             if (!std.crypto.utils.timingSafeEql([dest.len]u8, src, dest)) {
                 return error.InvalidSignature;
             }
         },
         .ES256 => {
             var src: [std.crypto.sign.ecdsa.EcdsaP256Sha256.Signature.encoded_length]u8 = undefined;
+            if (src.len != sig.len) {
+                return error.InvalidSignature;
+            }
             @memcpy(&src, sig);
             std.crypto.sign.ecdsa.EcdsaP256Sha256.Signature.fromBytes(src).verify(msg, switch (key) {
                 .es256 => |v| v,
@@ -127,6 +170,9 @@ pub fn verify(
         },
         .ES384 => {
             var src: [std.crypto.sign.ecdsa.EcdsaP384Sha384.Signature.encoded_length]u8 = undefined;
+            if (src.len != sig.len) {
+                return error.InvalidSignature;
+            }
             @memcpy(&src, sig);
             std.crypto.sign.ecdsa.EcdsaP384Sha384.Signature.fromBytes(src).verify(msg, switch (key) {
                 .es384 => |v| v,
@@ -147,6 +193,9 @@ pub fn verify(
         // },
         .EdDSA => {
             var src: [std.crypto.sign.Ed25519.Signature.encoded_length]u8 = undefined;
+            if (src.len != sig.len) {
+                return error.InvalidSignature;
+            }
             @memcpy(&src, sig);
             std.crypto.sign.Ed25519.Signature.fromBytes(src).verify(msg, switch (key) {
                 .edsa => |v| v,

diff --git a/src/encode.zig b/src/encode.zig
@@ -101,7 +101,7 @@ pub fn encode(
     key: EncodingKey,
 ) ![]const u8 {
     comptime {
-        if (@typeInfo(@TypeOf(claims)) != .Struct) {
+        if (@typeInfo(@TypeOf(claims)) != .@"struct") {
             @compileError("expected claims to be a struct but was a " ++ @typeName(@TypeOf(claims)));
         }
     }